.\"     Title: nikto
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\"      Date: 01/19/2010
.\"    Manual: 
.\"    Source: 
.\"
.TH "NIKTO" "1" "01/19/2010" "" ""
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
nikto \- Scan web server for known vulnerabilities
.SH "SYNOPSIS"
.HP 21
\fB/usr/local/bin/nikto\fR [options...]
.SH "DESCRIPTION"
.PP
Examine a web server to find potential problems and security vulnerabilities, including:
.sp
.RS 4
\h'-04'\(bu\h'+03'Server and software misconfigurations
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Default files and programs
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Insecure files and programs
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Outdated servers and programs
.RE
.PP
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment\&. It supports SSL, proxies, host authentication, IDS evasion and more\&. It can be updated automatically from the command\-line, and supports the optional submission of updated version data back to the maintainers\&.
.SH "OPTIONS"
.PP
Below are all of the Nikto command line options and explanations\&. A brief version of this text is available by running Nikto with the \-h (\-help) option\&.
.PP
\fB\-Cgidirs\fR
.RS 4
Scan these CGI directories\&. The special words "none" and "all" may be used to scan none or all of the CGI directories, respectively\&. A literal value for a CGI directory such as "/cgi\-test/" may be specified (it must include the trailing slash)\&. If this option is not specified, all CGI directories listed in config\&.txt will be tested\&.
.RE
.PP
\fB\-config\fR
.RS 4
Specify an alternative config file to use instead of the config\&.txt located in the install directory\&.
.RE
.PP
\fB\-dbcheck\fR
.RS 4
Check the scan databases for syntax errors\&.
.RE
.PP
\fB\-Display\fR
.RS 4
Control the output that Nikto shows\&. See Chapter 5 for detailed information on these options\&. Use the reference number or letter to specify the type, multiple may be used:
.sp
1 \- Show redirects
.sp
2 \- Show cookies received
.sp
3 \- Show all 200/OK responses
.sp
4 \- Show URLs which require authentication
.sp
D \- Debug Output
.sp
V \- Verbose Output
.RE
.PP
\fB\-evasion\fR
.RS 4
Specify the LibWhisker IDS evasion technique to use (see the LibWhisker docs for detailed information on these)\&. Use the reference number to specify the type, multiple may be used:
.sp
1 \- Random URI encoding (non\-UTF8)
.sp
2 \- Directory self\-reference (/\&./)
.sp
3 \- Premature URL ending
.sp
4 \- Prepend long random string
.sp
5 \- Fake parameter
.sp
6 \- TAB as request spacer
.sp
7 \- Change the case of the URL
.sp
8 \- Use Windows directory separator (\e)
.RE
.PP
\fB\-findonly\fR
.RS 4
Only discover the HTTP(S) ports, do not perform a security scan\&. This will attempt to connect with HTTP or HTTPS, and report the Server header\&.
.RE
.PP
\fB\-Format\fR
.RS 4
Save the output file specified with \-o (\-output) option in this format\&. If not specified, the default will be taken from the file extension specified in the \-output option\&. Valid formats are:
.sp
csv \- a comma\-separated list
.sp
htm \- an HTML report
.sp
txt \- a text report
.sp
xml \- an XML report
.RE
.PP
\fB\-host\fR
.RS 4
Host(s) to target\&. Can be an IP address, hostname or text file of hosts\&. A single dash (\-) may be used for stdout\&. Can also parse nmap \-oG style output\&.
.RE
.PP
\fB\-Help\fR
.RS 4
Display extended help information\&.
.RE
.PP
\fB\-id\fR
.RS 4
ID and password to use for Basic host authentication\&. The format is "id:password"\&.
.RE
.PP
\fB\-list\-plugins\fR
.RS 4
List all plugins that Nikto can run against targets, then exit without performing a scan\&. The set of plugins can be tuned for a session using the \-plugins option\&.
.sp
The output format is:
.sp
Plugin
\fIname\fR
.sp
\ \&\fIfull name\fR
\-
\fIdescription\fR
.sp
\ \&Written by
\fIauthor\fR, Copyright (C)
\fIcopyright\fR
.RE
.PP
\fB\-mutate\fR
.RS 4
Specify the mutation technique\&. A mutation causes Nikto to combine tests or attempt to guess values\&. These techniques may cause a tremendous number of tests to be launched against the target\&. Use the reference number to specify the type; multiple may be used:
.sp
1 \- Test all files with all root directories
.sp
2 \- Guess for password file names
.sp
3 \- Enumerate user names via Apache (/~user type requests)
.sp
4 \- Enumerate user names via cgiwrap (/cgi\-bin/cgiwrap/~user type requests)
.sp
5 \- Attempt to brute force sub\-domain names, assume that the host name is the parent domain
.sp
6 \- Attempt to guess directory names from the supplied dictionary file
.RE
.PP
\fB\-mutate\-options\fR
.RS 4
Provide extra information for mutates, e\&.g\&. a dictionary file\&.
.RE
.PP
\fB\-nolookup\fR
.RS 4
Do not perform name lookups on IP addresses\&.
.RE
.PP
\fB\-nossl\fR
.RS 4
Do not use SSL to connect to the server\&.
.RE
.PP
\fB\-no404\fR
.RS 4
Disable 404 (file not found) checking\&. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device\&. This will generally lead to more false positives being discovered\&.
.RE
.PP
\fB\-output\fR
.RS 4
Write output to the file specified\&. The format used will be taken from the file extension\&. This can be overridden by using the \-Format option (e\&.g\&. to write text files with a different extension)\&. Existing files will have new information appended\&.
.RE
.PP
\fB\-plugins\fR
.RS 4
Select which plugins will be run on the specified targets\&. A comma separated list should be provided which lists the names of the plugins\&. The names can be found by using \-list\-plugins\&.
.sp
There are two special entries: ALL, which specifies that all plugins shall be run, and NONE, which specifies that no plugins shall be run\&. The default is ALL\&.
.RE
.PP
\fB\-port\fR
.RS 4
TCP port(s) to target\&. To test more than one port on the same host, specify the list of ports in the \-p (\-port) option\&. Ports can be specified as a range (e\&.g\&., 80\-90) or as a comma\-delimited list (e\&.g\&., 80,88,90)\&. If not specified, port 80 is used\&.
.RE
.PP
\fB\-Pause\fR
.RS 4
Seconds to delay between each test\&.
.RE
.PP
\fB\-root\fR
.RS 4
Prepend the value specified to the beginning of every request\&. This is useful to test applications or web servers which have all of their files under a certain directory\&.
.RE
.PP
\fB\-ssl\fR
.RS 4
Only test SSL on the ports specified\&. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the plain HTTP request has to time out first\&.
.RE
.PP
\fB\-Single\fR
.RS 4
Perform a single request to a target server\&. Nikto will prompt for all options which can be specified, and then report the detailed output\&. See Chapter 5 for detailed information\&.
.RE
.PP
\fB\-timeout\fR
.RS 4
Seconds to wait before timing out a request\&. Default timeout is 10 seconds\&.
.RE
.PP
\fB\-Tuning\fR
.RS 4
Tuning options control which tests Nikto will use against a target\&. By default, if any options are specified, only those tests will be performed\&. If the "x" option is used, it reverses the logic and excludes only the specified tests\&. Use the reference number or letter to specify the type; multiple may be used:
.sp
0 \- File Upload
.sp
1 \- Interesting File / Seen in logs
.sp
2 \- Misconfiguration / Default File
.sp
3 \- Information Disclosure
.sp
4 \- Injection (XSS/Script/HTML)
.sp
5 \- Remote File Retrieval \- Inside Web Root
.sp
6 \- Denial of Service
.sp
7 \- Remote File Retrieval \- Server Wide
.sp
8 \- Command Execution / Remote Shell
.sp
9 \- SQL Injection
.sp
a \- Authentication Bypass
.sp
b \- Software Identification
.sp
c \- Remote Source Inclusion
.sp
x \- Reverse Tuning Options (i\&.e\&., include all except specified)
.sp
The given string is parsed from left to right; an x character applies to every character to its right\&.
.RE
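.PP
The selection rule for \-Tuning described above, as an added example in Python that models the rule as the man page states it; it is not Nikto's own Perl code, and the handling of codes listed before an x (they simply remain part of the full set) is an assumption:

```python
# Model of the -Tuning selection rule from the man page. This is an added
# illustration, not Nikto's implementation; the mixed case "1x6" is handled
# under the assumption that only codes to the right of an x are excluded.

# Tuning codes and the test categories they stand for, as listed above.
TUNING_CODES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}


def select_tuning(spec):
    """Return the sorted list of tuning codes that a -Tuning string selects.

    No string at all means every test category runs. Without an x, only the
    listed codes run. Once an x is seen, every code to its right is excluded
    and the result is the full set minus those exclusions. Unknown characters
    are rejected rather than silently ignored.
    """
    if not spec:
        return sorted(TUNING_CODES)
    included, excluded = set(), set()
    exclude_mode = False
    for ch in spec:
        if ch == "x":
            exclude_mode = True  # flips the meaning of everything that follows
            continue
        if ch not in TUNING_CODES:
            raise ValueError(f"unknown tuning code {ch!r}")
        (excluded if exclude_mode else included).add(ch)
    if exclude_mode:
        return sorted(set(TUNING_CODES) - excluded)
    return sorted(included)


def describe_tuning(spec):
    """Map a -Tuning string to the human-readable category names it selects."""
    return [TUNING_CODES[code] for code in select_tuning(spec)]
```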
.PP
\fB\-useproxy\fR
.RS 4
Use the HTTP proxy defined in the configuration file\&.
.RE
.PP
\fB\-update\fR
.RS 4
Update the plugins and databases directly from cirt\&.net\&.
.RE
.PP
\fB\-Version\fR
.RS 4
Display the Nikto software, plugin and database versions\&.
.RE
.PP
\fB\-vhost\fR
.RS 4
Specify the Host header to be sent to the target\&.
.RE
.SH "FILES"
.PP
\fInikto\&.conf\fR
.RS 4
The Nikto configuration file\&. This sets Nikto\'s global options\&. Several nikto\&.conf files may exist and are parsed in the order below\&. As each configuration file is loaded, it supersedes any previously set configuration:
.sp
.RS 4
\h'-04'\(bu\h'+03'System wide (e\&.g\&. /etc/nikto\&.conf)
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Home directory (e\&.g\&. $HOME/nikto\&.conf)
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Current directory (e\&.g\&. \&./nikto\&.conf)
.RE
.RE
.PP
\fI${NIKTO_DIR}/plugins/db*\fR
.RS 4
The db files are the databases that Nikto uses to check for vulnerabilities and issues within the web server\&.
.RE
.PP
\fI${NIKTO_DIR}/plugins/*\&.plugin\fR
.RS 4
All of Nikto\'s plugins live here\&. Nikto itself is just a wrapper script that handles the command line and passes control through to the plugins\&.
.RE
.PP
\fI${NIKTO_DIR}/templates\fR
.RS 4
Contains the templates for nikto\'s output formats\&.
.RE
.SH "BUGS"
.PP
The following features are not currently supported:
.sp
.RS 4
\h'-04'\(bu\h'+03'SOCKS Proxies
.RE
.SH "AUTHORS"
.PP
Nikto was originally written and maintained by Sullo, CIRT, Inc\&. It is currently maintained by David Lodge\&. See the main documentation for other contributors\&.
.PP
All code is (C) CIRT, Inc\&., except LibWhisker which is (C) rfp\&.labs (wiretrip\&.net)\&. Other portions of code may be (C) as specified\&.
.SH "SEE ALSO"
.PP
\fINikto Homepage\fR\&[1]
.SH "NOTES"
.IP " 1." 4
Nikto Homepage
.RS 4
\%http://www.cirt.net/
.RE
